What: Decades ago, insurance companies added a total pollution exclusion to commercial general liability policies in response to rulings allowing coverage for the costs of pollution cleanup. In the years after insurance companies first included this exclusion, insurers used the broad wording of the pollution exclusion to deny coverage for an increasingly larger amount of alleged contaminants. Today, commercial policyholders may face the same risks with the cyber liability exclusion. Intended to exclude coverage for data-breach-related claims under CGL policies, the broad wording of the cyber liability exclusion creates the potential for similar expansion and resulting coverage gaps in today’s interconnected world. Join us for a detailed discussion of the potential risks and coverage gaps facing policyholders, as well as strategies for preserving coverage
and eliminating potential gaps.

What: Does it pay to be covered for cyber liability? For many companies, the answer is an unqualified “yes.” During this webinar, you will learn about the types of cyber insurance coverage available in the insurance market today, including coverage for business interruption and cyber extortion, as well as pre- and post-loss services included in cyber policies. This webinar will provide the tools necessary to evaluate whether your company would benefit from cyber insurance, an increasingly important part of corporate insurance programs.

As the demand for insurance coverage for cyber-related losses continues to grow, more insurance companies are offering cyber insurance policies and endorsements, but the market is far from mature and the available policies far from complete. Insurers have not adopted a unified approach to cyber policies, nor do they offer identical coverages. Due to the variance between available cyber insurance policies and endorsements, policyholders should carefully weigh their cyber risks against proposed cyber coverage to understand the scope of coverage actually available to address company exposures. Insureds should closely examine policy wording, rather than relying on policy labels or marketing materials.

One of the first published cases interpreting a cyber policy illustrates this point. When hackers accessed 60,000 credit card numbers in P.F. Chang’s customer database, the restaurant chain’s cyber policy covered the costs of the forensic investigation into the cause of the data breach to prevent a recurrence, as well as the costs of defense against customer lawsuits arising from the breach, to the tune of some $1.7 million (P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co.). Most cyber policies include coverage for first-party losses as well as liability to third parties. Unfortunately, P.F. Chang’s cyber policy did not cover the nearly $2 million in expenses imposed by credit card issuers such as MasterCard to pay for such items as notifications to cardholders and reissuance of credit cards compromised by the breach. Many cyber policies offer coverage for these types of fines and penalties, albeit for an additional premium.

Those expenses, including fines and penalties, were passed through to P.F. Chang’s via its Master Services Agreement with the restaurant’s third-party credit card processor, Bank of America Merchant Services (BAMS). The agreements between servicers such as BAMS and credit card associations require the servicers to abide by Payment Card Industry Data Security Standards (PCI-DSS) and pay for losses arising from a data breach. These rules and obligations were incorporated into the contract between P.F. Chang’s and BAMS, requiring P.F. Chang’s to reimburse BAMS for any PCI-DSS assessments.

P.F. Chang’s and other restaurants and retailers rely on these servicers to process credit-card transactions on a daily basis. Yet in no less than three places, P.F. Chang’s cyber policy excluded liability assumed under a contract such as the one with BAMS. The “reasonable expectations” doctrine in Arizona that favors policyholders could not save P.F. Chang’s from the court’s interpretation of the plain wording of the policy.

A contractual liability exclusion is a standard exclusion in most commercial general liability policies. However, the exclusion typically incorporates exceptions for “insured contracts.” CGL policies incorporate this exclusion because these policies are primarily intended to cover a third party’s tort claims against a policyholder, not a policyholder’s financial losses arising from a contract. CGL policies also typically exclude coverage for fines and penalties such as those imposed by credit card associations. The P.F. Chang’s decision highlights the need for contractual liability, fines and penalties coverage for policyholders who accept credit card payments.

On January 27, 2017, the Ninth Circuit granted a joint stipulation to dismiss P.F. Chang’s appeal of the district court’s decision after the parties reached a settlement. We do not know the details of this settlement, although this settlement preserved this insurer-friendly decision to the detriment of policyholders.

This watershed case is a cautionary tale. The wild world of cyber-related risks is difficult to pin down – ranging from the obvious but mundane, such as theft of a company laptop, to the worst case scenario of a system-wide hack that could cause a major disruption and loss of business and extensive liability. As P.F. Chang’s shows, it pays to assess your company’s risks and closely examine your policy to ensure you have the coverage you need.

Search…

About

Bradley’s “It Pays to Be Covered™” Blog discusses insurance law developments and industry trends in property and casualty insurance, including the growing cyber insurance market, coverage for drones, and blockchain exposures.

About Our Policyholder Insurance Coverage Practice Team

Our policyholder insurance coverage team represents policyholders worldwide on matters involving every type of property and casualty insurance. We help policyholders access valuable coverage for all types of exposures, including property and business interruption, commercial general liability, cyber, drones, auto, errors and omissions and professional liability, directors and officers liability, and employers’ liability. Our attorneys have handled matters involving virtually every type of property and casualty insurance policy available in the market today, and have recovered hundreds of millions of dollars in insurance for all types of losses and liabilities. We focus on efficiently maximizing the value of each policyholder’s insurance portfolio, and we leverage our extensive experience to help insureds procure policies and manage insurance portfolios of all sizes and geographic scope, analyze and file claims, and resolve any resulting disputes.Read More…

About Our Firm

Bradley is a national law firm with a reputation for skilled legal work, exceptional client service, and impeccable integrity. Our more than 500 attorneys provide business clients around the world with a full suite of legal services in dozens of industries and practice areas. Bradley’s nine offices are located in Alabama, Florida, Mississippi, North Carolina, Tennessee, Texas, and the District of Columbia. This extensive geographic base provides the foundation to represent clients on a national and international basis. We frequently serve as national coordinating counsel, regional counsel, and statewide counsel for clients in various industries. Read More…